The HIPAA Audit Program, Part 2

In Part 1 of this series, we examined the purpose and general background of the HIPAA Audit Program. In this second part of the series, we will take an in-depth look into the HIPAA Audit findings to see what issues are tripping up providers the most. Remember: while the pilot phase of the program was intended to be educational, OCR has stated that future violations can and will be accompanied by sanctions, up to and including civil monetary penalties.

The Mission of the HIPAA Audit Pilot Program

In its 2012 HIPAA Audit Pilot Program, OCR sought to create a cross section of providers and payers in order to assess trends in HIPAA compliance. The sample included large, medium, and small provider groups, community hospitals, outpatient surgery clinics, pharmacies of all types, and many other entity types. Despite the wide mix of auditees, however, OCR found consistent patterns of noncompliance with the Security Rule, the Privacy Rule, and the Breach Notification Rule. At a high level, OCR recently summarized some of these major issues:

1. Security gaps accounted for 60% of the audit findings
2. Only 11% of all selected entities had no discovered HIPAA violations
3. Smaller providers struggle the most with HIPAA compliance

Specific to the Security Rule findings, OCR learned that nearly two-thirds of all entities (including about 80% of all providers) either had not performed or had an incomplete risk assessment on file. Moreover, issues of access management, media movement (including PHI-containing mobile devices), and data encryption were found to be serious areas of concern, accounting for over one-third of all Security Rule violations. OCR even went as far as to diagnose the underlying cause: entities are simply unaware of the requirements they are violating.


Do Not Neglect your Risk Assessments

Fortunately for those selected in the pilot program, this “willful ignorance” was, in most cases, not enough to prompt sanctions. However, this is about to change. OCR undertook the year-long pilot to collect data about where the biggest HIPAA compliance gaps were, so that it could share them with those who will be audited in the future. Providers have effectively been put on notice. So if you are a provider and have been neglecting your risk assessments, allowing workforce members to share PHI on their mobile devices, or not encrypting all PHI in motion, now is the time to start righting the ship before the full audit program is rolled out in 2014.

In Part 3 of this series, we will cover the extension of the HIPAA Audit Program as well as the best practices providers should adopt to minimize their audit exposure.

Frequently Asked Questions


According to OCR findings, 89% of audited entities had discovered HIPAA violations, with only 11% having no violations found. This indicates widespread compliance issues across the healthcare industry.

The most common violations include incomplete or missing risk assessments (found in nearly two-thirds of entities), inadequate access management, improper media movement with PHI-containing mobile devices, and lack of data encryption. These issues accounted for over one-third of all Security Rule violations.

Yes, OCR has clearly stated that future HIPAA audit violations can and will be accompanied by sanctions, including civil monetary penalties. The pilot phase was educational, but ongoing audits will have enforcement consequences.

Yes, OCR found that smaller providers struggle the most with HIPAA compliance compared to larger healthcare organizations. This suggests that resource constraints and lack of dedicated compliance staff may contribute to higher violation rates.

Providers should prioritize conducting comprehensive risk assessments, implementing proper access management controls, securing PHI on mobile devices, and ensuring all PHI in motion is encrypted. These were the top areas of concern identified in the pilot program.

Written by Krishna Kurapati, Founder & CEO of QliqSOFT, with 20+ years of healthcare technology experience.
